Conversation

@Altahrim Altahrim commented Apr 8, 2025

Summary

Some providers assign /48 IPv6 blocks instead of /64 so it sounds safer to use this mask by default.

@Altahrim Altahrim added the 3. to review Waiting for reviews label Apr 8, 2025
@Altahrim Altahrim added this to the Nextcloud 32 milestone Apr 8, 2025
@Altahrim Altahrim self-assigned this Apr 8, 2025
@Altahrim Altahrim requested a review from a team as a code owner April 8, 2025 07:38
@Altahrim Altahrim requested review from artonge, icewind1991 and provokateurin and removed request for a team April 8, 2025 07:38
Altahrim commented Apr 8, 2025

/backport to stable31

Altahrim commented Apr 8, 2025

/backport to stable30

Altahrim commented Apr 8, 2025

/backport to stable29

Some providers assign `/48` IPv6 blocks instead of `/64` so it sounds safer
to use this mask by default.

Signed-off-by: Benjamin Gaussorgues <[email protected]>
@Altahrim Altahrim force-pushed the feat/larger_ipv6_range branch from 132fec0 to c4021c8 April 8, 2025 08:08
@Altahrim Altahrim enabled auto-merge April 8, 2025 09:04
@Altahrim Altahrim merged commit 5944478 into master Apr 8, 2025
217 of 231 checks passed
@Altahrim Altahrim deleted the feat/larger_ipv6_range branch April 8, 2025 09:15
@kubrickfr

Which providers give out /48? I want to sign up immediately!

More seriously, I think this PR is a bad idea. I know of some ISPs who give out /56, but what problem does this PR actually solve? Blocking IPs is effective against botnets infecting machines and using them to brute-force passwords. If they have admin access to that machine, they can ask for a virtually unlimited number of IPv6 addresses in the /64 of the network only, whether or not the ISP attributes a larger PD to the customer.
If botnets are not your target attack vector, then IP filtering is not really going to help. I can have access to thousands of IPs (v4 and v6) by using any commercial VPN, heck I can even get new IPs by just asking my broadband router nicely.

By blocking a /48 you're probably netting a whole European country or US State provider mobile network. That is going to be a lot of false positives to deal with.

Altahrim commented Apr 9, 2025

Hello,

We have at least the example of Init7.
/48 was the recommendation in RFC 3177, but in 2011 RFC 6177 suggested something between /64 and /48.

I agree there is still a lot of ways to avoid brute-force protection but the goal is to make it a bit more difficult for a home user to bypass it.

We may use a different approach if we see too many false positives, but Local Internet Registries (mostly ISPs) should receive /32.

@DanScharon

> By blocking a /48 you're probably netting a whole European country or US State provider mobile network. That is going to be a lot of false positives to deal with.

Indeed.

10 users in our university's wifi accessing the same expired public link already trigger the bruteforce protection (because it is interpreted as "bruteforcing" public tokens).

Now with this change not only the wifi network segment but also a whole chunk of many other network segments on campus will be throttled or blocked because of a handful of users clicking on an expired link.

This is a terrible decision IMHO

@Altahrim

Hello @DanScharon, @kubrickfr

I created a follow-up here: #52223
It uses a smaller range by default and adds a config option.

@jameskimmel

> Which providers give out /48? I want to sign up immediately!

https://www.init7.net and every other ISP that follows RIPE 690 recommendations.
https://www.ripe.net/publications/docs/ripe-690/

> 10 users in our university's wifi accessing the same expired public link already trigger the bruteforce protection (because it is interpreted as "bruteforcing" public tokens).
>
> Now with this change not only the wifi network segment but also a whole chunk of many other network segments on campus will be throttled or blocked because of a handful of users clicking on an expired link.

How is that any different from IPv4?
For IPv4, everyone on the campus shares the same IPv4.
For IPv6, you share the same /56 or /48 prefix.
IPv4 can even be worse because of CG-NAT, where you share the same IPv4 with strangers.

@DanScharon

> How is that any different from IPv4?

Nextcloud's bruteforce protection throttles/blocks only that one IPv4 address, not its whole subnet.

> For IPv4, everyone on the campus shares the same IPv4

No. I can hardly imagine any university which has only one public IPv4 address for all its wifi users behind a NAT.
Besides that, on our campus wifi, every client gets a private IPv4 address (besides IPv6) which has a route without any NAT towards our Nextcloud instance. That means for our Nextcloud there is just one IPv4 address for each wifi client device.

> For IPv6, you share the same /56 or /48 prefix. IPv4 can even be worse because of CG-NAT, where you share the same IPv4 with strangers.

Irrelevant for our described use case

@jameskimmel

> Nextcloud's bruteforce protection throttles/blocks only that one IPv4 address, not its whole subnet.

The equivalent of a single IP in the IPv4 world is a /48 prefix in the IPv6 world.
There will always be a chance of collateral damage.
For IPv4 this is because you share the same IPv4 behind NAT with many devices, or even worse, your WAN is already behind NAT (CG-NAT).
For IPv6, you not getting a /48 is the equivalent of you getting a CG-NAT IPv4.

> No. I can hardly imagine any university which has only one public IPv4 address

True, but for every IPv4, you should also get a /48 prefix.
Technically it is even easier for your ISP to give you multiple /48 prefixes than to give you multiple IPv4.

> every client gets a private IPv4 address (besides IPv6) which has a route without any NAT towards our Nextcloud instance.

And the same can be done for IPv6 with ULA.

Your example of the expired links isn't an IPv6 problem.

Only allowing 10 links until you get banned, while at the same time allowing 64k attacks (with /64 blocking) or 256 attacks (with /56 blocking) from one single /48 customer would be a strange imbalance.
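The three arguments above (kubrickfr's point that an attacker already controls every address in their /64, DanScharon's campus where a dozen users in different /64s share one /48, and jameskimmel's count of how many keys a /48 customer holds under /64 or /56 keying) can all be checked with the same small model. The script below is an added example, not Nextcloud's code: it stands in for the brute-force counter with a plain dictionary keyed by the masked prefix, uses a constructed threshold of 10 hits, and builds sample traffic from the 2001:db8::/32 documentation prefix. How Nextcloud actually derives its keys is not reproduced here; only the prefix-length trade-off the thread argues about is.

```python
import ipaddress
from collections import Counter, defaultdict

# Prefix lengths under discussion: /64 (the old default), /56 and /48 (the
# new default in this PR). IPv4 is keyed per address (/32).
IPV4_PREFIX = 32


def throttle_key(addr: str, v6_prefix: int) -> str:
    """Return the network that serves as the brute-force counter key.
    Stand-in for the real keying logic (assumption, not Nextcloud's code)."""
    ip = ipaddress.ip_address(addr)
    prefix = IPV4_PREFIX if ip.version == 4 else v6_prefix
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def subnets_per_block(block_prefix: int, key_prefix: int) -> int:
    """Number of distinct /key_prefix keys one /block_prefix customer holds."""
    return 2 ** (key_prefix - block_prefix)


def free_attempts(block_prefix: int, key_prefix: int, limit: int) -> int:
    """Attempts a customer holding one /block_prefix can make before every
    /key_prefix key they control has passed `limit`."""
    return subnets_per_block(block_prefix, key_prefix) * limit


def simulate(requests, v6_prefix: int, limit: int):
    """Replay client addresses against a counter keyed by masked prefix.
    Returns (blocked_keys, affected_addresses): the keys that exceeded the
    limit and every address that now shares one of those keys."""
    hits = Counter()
    clients = defaultdict(set)
    for addr in requests:
        key = throttle_key(addr, v6_prefix)
        hits[key] += 1
        clients[key].add(addr)
    blocked = {k for k, n in hits.items() if n > limit}
    affected = set().union(*(clients[k] for k in blocked))
    return blocked, affected


# Constructed sample traffic (documentation prefix, not real networks).
# Twelve campus users, each in its own /64 of the campus /48, each opening
# the same expired share link once.
CAMPUS_REQUESTS = [f"2001:db8:1:{i:x}::1" for i in range(1, 13)]
# One attacker rotating through eleven interface IDs inside a single /64,
# which any host on that segment can do without help from the ISP.
ATTACKER_REQUESTS = [f"2001:db8:2:abcd::{i:x}" for i in range(1, 12)]
LIMIT = 10  # constructed threshold


if __name__ == "__main__":
    for prefix in (64, 56, 48):
        blocked, affected = simulate(CAMPUS_REQUESTS, prefix, LIMIT)
        print(f"/{prefix} campus:   blocked={sorted(blocked)} affected={len(affected)}")
        blocked, _ = simulate(ATTACKER_REQUESTS, prefix, LIMIT)
        print(f"/{prefix} attacker: blocked={sorted(blocked)}")
    for prefix in (64, 56, 48):
        print(f"/48 customer, /{prefix} keying: {subnets_per_block(48, prefix)} keys, "
              f"{free_attempts(48, prefix, LIMIT)} attempts before all are throttled")
```

Run as-is it shows the two sides of the trade-off: the attacker's /64 is throttled under every prefix length, because all eleven addresses collapse onto one key however coarse the mask, while the campus traffic passes under /64 and is blocked as a whole under /56 and /48, taking all twelve users with it. The counting helpers make jameskimmel's figures explicit: with /64 keying a /48 customer holds 65536 keys and therefore 65536 × LIMIT attempts before the last one is throttled; with /48 keying they hold exactly one.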

@nextcloud-bot nextcloud-bot mentioned this pull request Aug 19, 2025
@skjnldsv skjnldsv modified the milestones: Nextcloud 32, Nextcloud 33 Sep 28, 2025